United States Southern Command's

Lt Col J. Andrew Pettigrew, III, USAF

The U.S. Southern Command (USSOUTHCOM) pursues a Strategy of Cooperative Regional Peacetime Engagement founded on hemispheric cooperation. The strategy emphasizes the importance of regional, collaborative, multilateral approaches and the value of communications. Essential to this strategy is sharing information with nations in the USSOUTHCOM Area of Responsibility (AOR). Accordingly, USSOUTHCOM is establishing information-sharing networks using the existing theater infrastructures, such as the Internet and commercial satellite connectivity, as the supporting communications backbone. The Americas' Net (AMNET), modeled after the Partnership for Peace initiative in Europe, is the most mature of the information-sharing networks that support USSOUTHCOM's regional engagement strategy. The Caribbean Information-Sharing Network (CISN) is being developed. Finally, the Southern Command Information Exchange System (SCIES) network, also in development, will support the exchange of releasable classified information with AOR nations.

AMNET consists of an Americas' Net file and E-mail server, a home page, and Internet connectivity for the U.S. Military Groups (USMILGP) and participating nation senior military leadership in the USSOUTHCOM AOR. By automating information sharing and communications, it creates an environment conducive to regional cooperation in the Americas and the Caribbean. It provides a framework for enhanced political and military cooperation and facilitates interaction for joint multilateral activities, such as humanitarian and civic assistance, nation building, and peacekeeping. The system allows member nations to share lessons learned immediately, participate in planning exchanges directly, coordinate exercise development on-line, and make direct doctrinal comparisons.

AMNET achieves its mission by using Internet resources. An array of Web browser-accessible software and user-friendly tools affords participating nations password-protected access to, and exchange of, information concerning a variety of subjects, such as security strategies, emergency planning, professional military education, multilateral exercises, doctrine and policies, public affairs, and environmental concerns. Fully operational since May 1997, AMNET has been continually upgraded to meet evolving regional engagement requirements. The Internet Web site was established with Secure Socket Layer (SSL) and password protection. By using Cold Fusion as a back-end Web application server, AMNET manages and delivers information dynamically. The Web site offers extensive links to U.S. military home pages, Latin American Web resources, military schools, countries of interest, briefings, and fact sheets. Additional features include a Web-integrated real-time chat room, a bulletin board with threaded discussion groups and E-mail notification, and a search engine. AMNET also provides E-mail capability. Planned AMNET enhancements include modernizing equipment, bandwidth, and network infrastructure. Password authentication with user access levels for each page in the site is being developed. This feature will add security by enabling users to see only what their access level allows.
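The per-page access levels described above, as an added example that is not part of the original article or of AMNET's own code: a small Python model in which each page carries a minimum access level, a user's level is established only after a salted PBKDF2 password check, and an unknown page or a failed login is denied by default. The page names, account names, passwords, and levels are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed access-level model: each page carries the minimum level a
# user must hold to see it (hypothetical page names and levels).
PAGE_LEVELS = {
    "/public/links.cfm": 0,
    "/briefings/index.cfm": 1,
    "/exercises/planning.cfm": 2,
    "/policy/drafts.cfm": 3,
}

PBKDF2_ITERATIONS = 100_000


def make_credential(password: str, level: int) -> dict:
    """Store a salted PBKDF2 hash plus the user's access level, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "level": level}


def authenticate(users: dict, username: str, password: str):
    """Return the user's access level on a correct password, or None.

    A missing user is still hashed against a dummy salt so the response
    time does not reveal which user names exist.
    """
    record = users.get(username)
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    return record["level"]


def visible_pages(level: int) -> list:
    """Pages whose required level is at or below the user's level."""
    return sorted(p for p, required in PAGE_LEVELS.items() if required <= level)


def can_view(level, page: str) -> bool:
    """Deny by default: unauthenticated users and unknown pages get nothing."""
    if level is None or page not in PAGE_LEVELS:
        return False
    return PAGE_LEVELS[page] <= level


# Constructed sample accounts (passwords chosen for the demo only).
USERS = {
    "milgp_liaison": make_credential("correct horse battery", 1),
    "planner_ops": make_credential("staple-staple-staple", 3),
}


def demo() -> dict:
    """Try several logins and return (level, visible pages) for each attempt."""
    attempts = [("milgp_liaison", "correct horse battery"),
                ("milgp_liaison", "wrong password"),
                ("planner_ops", "staple-staple-staple"),
                ("nobody", "anything")]
    results = {}
    for name, pw in attempts:
        level = authenticate(USERS, name, pw)
        results[(name, pw)] = (level, visible_pages(level) if level is not None else [])
    return results


if __name__ == "__main__":
    for (name, _), (level, pages) in demo().items():
        print(f"{name:15} level={level} pages={pages}")
```

The check is deliberately made at the page level rather than by hiding links: a user who types the address of a page above their level is refused by `can_view`, which is the property the planned AMNET feature is meant to provide.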

USSOUTHCOM headquarters 
is assisting military forces and 
law enforcement agencies in the 
Caribbean Basin of the US¬ 
SOUTHCOM AOR in establish¬ 
ing an information-sharing net¬ 
work to enhance bilateral and 
multilateral cooperation in com¬ 
bating transnational threats and 

continued on page 4 
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continued from page 3 

addressing issues of common 
concern. The CISN network 
will be established in three 
phases: Phase 1, encrypted E- 
mail and attachments; Phase 2, 
Virtual Private Network (VPN) 
with a central server imple¬ 
mentation; Phase 3, VPN with 
multiple servers. 

CISN Phase 1, already opera¬ 
tional, enables users to encrypt 
E-mail and attachments using 
PGP (Pretty Good Privacy®), a 
commercial software applica¬ 
tion from Network Associates, 
Inc. CISN Phase 2 will imple¬ 
ment a VPN and a Collabora¬ 
tive Virtual Workspace (CVW) 
server. Initial operational capa¬ 
bility for Phase 2 is scheduled 
for October 1999. The VPN will 
be an encrypted communica¬ 
tions link between CISN re¬ 


mote workstations and the 
CISN intranet that passes 
through the public Internet. 
The VPN will use a combina¬ 
tion of authentication, data en¬ 
cryption, and tunneling to cre¬ 
ate a secure channel between 
users and the CISN network. 
The VPN will rely on remote 
access accounts that allow the 
users to dial in to an Internet 
service provider (ISP), establish 
a connection to the Internet, 
and then identify themselves to 
the CISN VPN authentication 
system. The CISN VPN will ver¬ 
ify a user’s identity on the basis 
of user name and password. On 
successful authentication, tun¬ 
neling or an encrypted session 
will be set up between the VPN 
user and the CISN VPN server, 
thus protecting the privacy and 
integrity of data exchanged be¬ 


tween the remote workstation 
and the CISN intranet. 
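The post-authentication part of the VPN session described above, as an added example not taken from the article or from CISN: a Python sketch of a tunnel endpoint that, given a session key handed out by the authentication system after the user name and password check, seals each frame with a sequence number and an HMAC-SHA256 tag, and on the receiving side rejects altered frames and replayed ones. The cipher that provides confidentiality is assumed to wrap these frames and is not shown; the key derivation label, frame layout, and sample payload are constructed for this illustration.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output length
SEQ_LEN = 8   # big-endian 64-bit sequence number


class TunnelEndpoint:
    """One end of the tunnel after authentication has succeeded.

    Assumed: both ends already share `session_key`, produced by the
    authentication system once the user name and password were verified.
    The confidentiality layer (the cipher) is left out; this class shows
    only the integrity and anti-replay part of the channel.
    """

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.send_seq = 0
        self.highest_recv_seq = -1

    def _tag(self, seq: int, payload: bytes) -> bytes:
        # The sequence number is covered by the MAC so it cannot be altered.
        return hmac.new(self.key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        """Frame = seq || payload || tag."""
        seq = self.send_seq
        self.send_seq += 1
        return struct.pack(">Q", seq) + payload + self._tag(seq, payload)

    def open(self, frame: bytes):
        """Return the payload of a valid, fresh frame, or None if it is rejected."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        seq = struct.unpack(">Q", frame[:SEQ_LEN])[0]
        payload, tag = frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(seq, payload)):
            return None  # altered in transit, or sent under a different key
        if seq <= self.highest_recv_seq:
            return None  # replayed, or an old frame arriving late
        self.highest_recv_seq = seq
        return payload


def derive_session_key(auth_secret: bytes, nonce: bytes) -> bytes:
    """Derive a per-session key from the secret the authentication step produced (constructed label)."""
    return hmac.new(auth_secret, b"cisn-session" + nonce, hashlib.sha256).digest()


def demo():
    """Accepted frame, then a tampered copy and a replay, both of which must be refused."""
    nonce = os.urandom(16)
    key = derive_session_key(b"constructed-auth-secret", nonce)
    workstation, server = TunnelEndpoint(key), TunnelEndpoint(key)

    frame = workstation.seal(b"GET /intranet/bulletins")
    accepted = server.open(frame)

    tampered = bytearray(frame)
    tampered[SEQ_LEN] ^= 0x01  # flip one bit of the payload
    rejected_tamper = server.open(bytes(tampered))

    replayed = server.open(frame)  # the same frame delivered a second time
    return accepted, rejected_tamper, replayed


if __name__ == "__main__":
    print(demo())
```

Checking the tag before the sequence number matters: a frame whose tag fails is discarded without moving the receive window, so an attacker on the public Internet cannot use a forged frame with a high sequence number to make the server refuse the legitimate ones that follow.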

USSOUTHCOM is also devel¬ 
oping a multilevel security net¬ 
work, SCIES, to share counter¬ 
drug planning, intelligence, and 
operations data with participat¬ 
ing nations in the theater. The 
system will consist of off-the- 
shelf hardware and software 
connected to existing local area 
networks via approved multi¬ 
level security devices and fire¬ 
walls. Specific functions to be 
accomplished through SCIES in¬ 
clude scheduling and approval 
for diplomatic clearance of over¬ 
flights and sharing of the re¬ 
leasable portions of counterdrug 
intelligence data and the Global 
Command and Control System 
(GCCS) Common Operating Pic- 

continued on page 21 
You may have heard the rumor: Technology makes computer network defense difficult enough. Then along comes some lawyer saying you can't protect your networks the way you want. Perhaps this article will give you some encouragement. It briefly reviews some of the rules and suggests that the situation might not be as bad as rumor indicates.

Most readers of this newsletter know the threat described in the 1997 report of the President's Commission on Critical Infrastructure Protection. Computer networks can undergo anonymous cyber attacks that can be mounted remotely in minutes with little or no detectable preparation or rehearsal. Over the last few years, the threat has increased. More countries have announced plans to develop information warfare capabilities, and the technology used to mount these attacks is more readily available and easier to use than ever before. Likewise, many companies are fielding new technologies that protect on-line privacy but also make it harder to track hackers. In these circumstances, how do we defend our networks?

We can choose many courses of action. The passive options are easy. We can shut down our networks or divert the attacker, if we know the attacker is coming and how he will attack. Active options are also easy. Arrest him (if he's domestic) or use the full weight of national power (if he's sponsored by a foreign state), if we can find him. The hard choice is to get the right information to the decision makers so they can take the right action. Meeting that challenge can look like transforming the puzzle on the right of Figure 1 to the one on the left.

Figure 1. The Law (and culture) as we would like it and as it appears.

How do we make the puzzle pieces fit? This article looks briefly at some tools that help pull the pieces together: the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the fourth amendment to the U.S. Constitution, intelligence oversight rules, counterintelligence guidance, and some international initiatives.

Overview of Domestic Criminal Law

We must start by understanding that computer intrusions are crimes, most of which are governed by the Computer Fraud and Abuse Act (Title 18, United States Code, Section 1030). The law is summarized below, but the details of particular cases can lead to complications, so consult your lawyer. The punishments for each offense vary depending on the seriousness of the intent or outcome.

Table 1. Computer Fraud and Abuse Act Summary

Section   Prohibits...
(a)(1)    Hacking into a government computer to get classified information and then disclosing it
(a)(2)    Hacking into computers to obtain access and information
(a)(3)    Accessing and affecting the use of nonpublic computers of the U.S. Government and government contractors
(a)(5)    Hacking and causing damage (more than a $5,000 loss of data or system availability to one or more victims during any 1-year period); intentionally, recklessly, or simply causing damage; including viruses
(a)(6)    Trafficking in stolen passwords
(b)       Attempting any of the offenses listed above

With this brief definition of what conduct is criminal, we can turn to ways of catching the hacker. The first line of defense is often the Electronic Communications Privacy Act (ECPA) and its "service provider" exception (Title 18, United States Code, Section 2511). Generally, ECPA makes it illegal to wiretap and provides stiff penalties for violations. However, it sensibly allows electronic communication service providers to protect their rights and property by intercepting successful and attempted hacking. This provision is the legal foundation for deploying intrusion detectors and databases. DoD network operators are then supposed to report suspected intrusions to Service law enforcement agencies.
At this point, the Constitution triggers significant procedural requirements. First, the fourth amendment may require a search warrant if the computer owner is entitled to expect privacy. However, the U.S. Supreme Court has acknowledged a lowered expectation of privacy in certain workplace situations, so a warrant may not be required to search a government computer. Also, certain government employees may consent to network server searches. Check with your lawyer for guidance.

Statutes also impose requirements. Certain statutes address access to subscriber information and communications stored by Internet service providers (ISP). Consult your lawyer for help in these complicated areas. In addition, investigators can use pen register devices and trap-and-trace devices to track source and destination addresses on packets going through computers. If these devices do not yield sufficient information, investigators can deploy full-content wiretaps. However, consent or court orders are required, and the procedures can be complicated. The defense criminal investigating organizations implement these rules by following DoD O-5505.9-M, Procedures for Wire, Electronic, and Oral Interceptions for Law Enforcement, May 1995. Be sure to consult your lawyer for help in these complicated areas.

Rather than face all these problems, why don't we just have some smart military operators "hack back" at the hacker's computer? First, if the hacker's computer is in the United States, those military operators could be accused of violating the Computer Fraud and Abuse Act. If the ISP is foreign, our military operators will probably need approval from the National Command Authorities, but that discussion is beyond the scope of this article. Second, our operators have to find the target. To trace the hacker attack back to its source, they would normally need to contact some ISPs between themselves and the target. If an ISP does not cooperate, do they hack into the ISP and steal its log data? Obviously, this tactic is a bad idea. It's clearly wrong; it's a crime; and it would take even longer than using the legal process. Finally, suppose our smart military operators succeed in finding the hacker and erasing his hard drive. The hacker immediately reloads his hard drive from a CD-ROM and hacks again minutes later. It may be frustrating from a military viewpoint to work through the law enforcement process, but often this may be the only way to develop enough information to identify and stop the intruder.

Overview of Intelligence and Counterintelligence Rules

Foreign state threats naturally concern DoD even more than domestic threats because of a state's potential to concentrate resources. At the same time, intelligence operators must be able to gather and analyze data without treading on U.S. citizens' rights. (This area can become convoluted very quickly, so, again, consult your lawyer.)

DoD balances these concerns by complying with significant oversight rules that apply to the intelligence community and counterintelligence elements of the U.S. Government. The primary statute is the Foreign Intelligence Surveillance Act (Title 50, United States Code, Sections 1801-1829). It allows high-level administrative approvals for foreign surveillance, but requires court orders for electronic surveillance in counterintelligence operations against U.S. citizens suspected of espionage. It establishes significant procedural requirements similar to wiretap court orders under ECPA. In addition, the court must conclude there is probable cause that the target is an agent of a foreign power. Probable cause can often be difficult to establish, especially early in a hacking case. In addition, significant guidance on intelligence activities affecting U.S. citizens comes from Executive Order 12333, Dec 1981; DoD Directive 5240.1, Apr 1988; and DoD 5240.1-R, Dec 1982. Because these rules greatly predate the Internet, their use of phrases like "electronic surveillance" and "concealed monitoring" merits cautious analysis. Finally, the intelligence community agencies each have regulations to guide their collection and dissemination actions. The key point is that the mission of the intelligence community is to gather and disseminate intelligence on foreign threats and leave domestic threats to law enforcement and counterintelligence. As a result, DoD decision makers may not get "one-stop shopping" when trying to figure out where a hacker comes from. This area, too, can become convoluted very quickly. Again, consult your lawyer.

International Initiatives

What happens when we do find a foreign hacker? The unpleasant reality is that many countries do not even outlaw hacking. For instance, New Zealand, one of our close allies and a sophisticated country, is outlawing hacking only this year. Many countries that outlaw hacking do not make it an offense that allows extradition to the United States. Furthermore, U.S. punishments may be so mild that extradition may not be worthwhile. All of these factors make investigation and prosecution either difficult or impossible.

http://iac.dtic.mil/IATAC

Two initiatives may improve this situation. First, the Group of 8 [1] is negotiating a "fast-freeze" agreement that would enable one country to have another order ISPs to freeze data while law enforcement seeks evidence across borders. Second, the Council of Europe is negotiating an agreement that may require signatory nations to pass laws making certain computer conduct criminal, providing for extradition for certain offenses, and allowing cross-border access to evidence.

What Can You Do?

Now that you have seen this brief outline, what can you do? First, tell the intelligence community members what products you want. They want to produce useful intelligence, and they need real cases for analysis to see what can and cannot be done. Second, use the ECPA "service provider exception" to widely, but wisely, deploy intrusion detection systems and share databases. Third, commanders and network operators need to seek case status from their law enforcement and counterintelligence agents. This information will lead to security improvements. Finally, commanders and investigators should work closely with their lawyers. Make them write their opinions and alert them they will be working in Information Operations cells. Lawyers need to start working now to come up to speed in this challenging area.

Conclusion

An old Gypsy curse says, "May you live in interesting times." These are interesting times for law as we enter the Information Age. New problems need new thinking and team effort, but the end result, national security, is worth the hard work.

Endnote

1. The Group of 8 (G-8) was established in October 1975 to facilitate economic cooperation among the developed countries (DCs) that participated in the Conference on International Economic Cooperation (CIEC), held in several sessions between December 1975 and June 1977. Membership includes Canada, France, Germany, Great Britain, Italy, Japan, Russia, and the United States.

Lt Col Charlie Williamson is currently the Staff Judge Advocate (SJA) for the Joint Task Force-Computer Network Defense (williamc@Jtfcnd.ia.mil). He previously served as the SJA of the 314th Airlift Wing, Little Rock AFB, Arkansas. He had previous JAG assignments at Castle AFB, California, and Minot AFB, North Dakota, along with an assignment as a flight test manager at Hill AFB, Utah. He received his juris doctor from the University of Utah College of Law and his bachelor of science in mechanical engineering from the University of Southern California.
Helping Mitigate Network Security Risk to the Defense Information Infrastructure

Lieutenant Beth A. Evans, USN
DISA D333

"Establishing trust in a highly distributed, network-centric computing environment is a fundamental issue today for the Department of Defense and its Defense Information Infrastructure (DII). Widely known and documented vulnerabilities exist throughout the networks and because of our increasing reliance on networks, these vulnerabilities have the capacity to severely degrade our operational readiness and therefore endanger national security. We must shift the current view that information assurance/systems security concerns are secondary considerations to core readiness issues. Everyone—from the highest senior levels of management to the soldiers and office workers—must understand their responsibility as a stakeholder in the vitality and security of our information systems."

—Dr. John Hamre, Deputy Secretary of Defense

The Department of Defense (DoD) Computer Emergency Response Team (CERT), a branch within the Defense Information Systems Agency (DISA), is responsible for providing information assurance procedures and guidance to the DoD community for protection of the Defense Information Infrastructure (DII). Accordingly, the Deputy Secretary of Defense instituted a notification process in 1998 known as the Information Assurance Vulnerability Alert (IAVA) process and designated DISA as its manager. The IAVA process was created because DoD recognized the need for the Commanders-in-Chief (CINC), Services, and Agencies (C/S/A) to have a positive control mechanism to ensure that their system administrators received, acknowledged, and complied with vulnerability alert notifications and to ensure that corrective actions were taken against new and critical vulnerabilities.

IAVA is a Web-based process that incorporates identification and evaluation of new vulnerabilities, disseminates technical responses, and tracks compliance within the DoD community. As the IAVA process manager, DISA is responsible for disseminating the vulnerability notifications to C/S/A points of contact and providing an automated means for the points of contact to report receipt of and compliance with the alerts.

Managing the IAVA Process

DoD CERT has created a three-tiered "vulnerability hierarchy" for notifications. The first-tier notification, an alert or IAVA, is disseminated when DoD CERT documents a new vulnerability that poses an immediate, potentially severe threat to DoD systems. The IAVA requires that C/S/As report both receipt of the alert (after disseminating it to subordinate organizations) and their compliance with the corrective action(s).

The second-tier notification, a bulletin or IAVB, addresses new vulnerabilities that do not pose an immediate threat to DoD systems, but are significant enough that noncompliance with the corrective action could escalate the threat. Like the IAVA, the IAVB requires C/S/As to report receipt of the bulletin, but compliance reporting is not required (compliance requirements and decisions are made by the local commander). However, the IAVB must be disseminated down to the system administrator level within the organization.

The third-tier notification, the technical advisory, is generated when new vulnerabilities exist but are generally categorized as low risk. Potential escalation of these vulnerabilities is deemed unlikely, but the advisories are issued so that any risk of escalation in the future can be mitigated. Reporting is not required in response to a technical advisory.

The IAVA process allows waivers of the required compliance actions to be granted in response to a specific alert. Waivers are reviewed and granted by a C/S/A's Designated Approval Authority (DAA). The DAA must consider the risks involved, to both the local network and the greater DII, when granting a waiver.

Determining Notification Type

The DoD CERT learns of new vulnerabilities through incidents reported to DoD and civilian CERTs, public Internet resources, and vendor notifications. On notification of a new vulnerability, DoD CERT assesses the threat that the vulnerability poses to the DII using criteria such as the type of operating system and infrastructure affected by the exploit, the access gained by the exploit, the number of exploits reported, and the nature of the exploit's potential end result (denial of service, for example).

After the initial evaluation, a request for comments is sent to a coordination team consisting of the Joint Task Force-Computer Network Defense, Service CERTs, and joint system program managers. This team provides input in determining the type of notification to be generated. After coordination, the notification is disseminated in a variety of ways. Record message traffic (Automatic Digital Network [AUTODIN] and Defense Message System [DMS]) is sent releasing an IAVA or IAVB to the C/S/A points of contact. The message is primarily for notification purposes, as well as assignment of reporting timelines. The message directs recipients to the DoD CERT Web site (http://www.cert.mil) for technical specifics and corrective action(s). An E-mail containing the technical information is also disseminated to all IAVA list serve addressees for the IAVA, IAVB, and technical advisories. List registration can be requested by sending an E-mail to cert@cert.mil. Dissemination is restricted to .mil and .gov domains.

The reporting of receipt, compliance, and waiver information is accomplished via the unclassified or classified IAVA Web site. Normal reporting timelines are 5 days for reporting receipt (IAVA and IAVB) and 30 days for reporting compliance (IAVA). Significant progress is being made in the automation of receipt acknowledgement and compliance reporting, and as of October 1, 1999 C/S/As have access to a greatly improved utility, providing a more robust and effective automated mechanism to report their status information.
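The three notification tiers, the DAA waiver rule, and the 5-day and 30-day reporting timelines described above, as an added example that is not part of the article or of the IAVA Web site: a Python model that encodes what each tier requires a C/S/A to report and how far it must be disseminated, computes due dates from the release date (the message can assign different timelines, so the defaults are parameters), and lists the open findings for one organization's reporting record. Notification identifiers, organization names, and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Tier rules as the article states them: what each notification type
# requires a C/S/A to report, and how far it must be pushed down.
TIER_RULES = {
    "IAVA":     {"report_receipt": True,  "report_compliance": True,
                 "disseminate_to": "subordinate organizations"},
    "IAVB":     {"report_receipt": True,  "report_compliance": False,
                 "disseminate_to": "system administrator level"},
    "ADVISORY": {"report_receipt": False, "report_compliance": False,
                 "disseminate_to": None},
}
RECEIPT_DAYS = 5      # normal timeline for reporting receipt
COMPLIANCE_DAYS = 30  # normal timeline for reporting compliance


@dataclass
class Notification:
    ident: str        # placeholder identifier, not a real alert number
    tier: str         # "IAVA", "IAVB" or "ADVISORY"
    released: date    # date the record message released it


@dataclass
class OrgStatus:
    """One C/S/A's reporting record for one notification."""
    receipt_reported: Optional[date] = None
    compliance_reported: Optional[date] = None
    waiver_granted_by_daa: bool = False  # waivers apply to compliance only


def obligations(n: Notification, receipt_days: int = RECEIPT_DAYS,
                compliance_days: int = COMPLIANCE_DAYS) -> dict:
    """Due dates and dissemination requirement implied by the notification's tier."""
    rules = TIER_RULES[n.tier]
    return {
        "receipt_due": n.released + timedelta(days=receipt_days) if rules["report_receipt"] else None,
        "compliance_due": n.released + timedelta(days=compliance_days) if rules["report_compliance"] else None,
        "disseminate_to": rules["disseminate_to"],
    }


def evaluate(n: Notification, s: OrgStatus, today: date) -> list:
    """Open findings for this organization on this notification as of `today`."""
    due = obligations(n)
    findings = []
    if due["receipt_due"] and s.receipt_reported is None and today > due["receipt_due"]:
        findings.append("receipt overdue")
    if (due["compliance_due"] and not s.waiver_granted_by_daa
            and s.compliance_reported is None and today > due["compliance_due"]):
        findings.append("compliance overdue")
    return findings


def demo() -> dict:
    """Constructed alert and three organizations' records, evaluated on one day."""
    alert = Notification("IAVA-PLACEHOLDER-01", "IAVA", date(1999, 7, 1))
    today = date(1999, 8, 15)
    records = {
        "org-alpha": OrgStatus(receipt_reported=date(1999, 7, 3)),
        "org-bravo": OrgStatus(receipt_reported=date(1999, 7, 3), waiver_granted_by_daa=True),
        "org-charlie": OrgStatus(),
    }
    return {org: evaluate(alert, status, today) for org, status in records.items()}


if __name__ == "__main__":
    for org, findings in demo().items():
        print(f"{org:12} {findings or 'no open findings'}")
```

A technical advisory produces no due dates at all, so an organization that never reports against one is, correctly, not flagged; the same record against an IAVA would show both receipt and compliance overdue once the timelines pass.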


LT Beth A. Evans, USN is the Technical Analysis Division Chief for the DoD Computer Emergency Response Team, Defense Information Systems Agency, Arlington, Va. She received her B.S. in Business Administration from the University of California, Berkeley, CA in December 1990. LT Evans is currently pursuing her M.S. in Information Systems from George Mason University, Fairfax, Va. She may be reached at evansb@ncr.disa.mil.

The following vulnerabilities were addressed in the alerts and bulletins disseminated by the end of July 1999.
Daniel R. Walters

On June 8-10 the Naval Information Operations Wargame 1999 (NIOW '99) attracted participants from the Fleet Commander in Chief (CINC), Numbered Fleet, Carrier Battle Group (CVBG), Amphibious Ready Group (ARG), and Marine Expeditionary Unit (MEU) staffs. Including observers, more than 85 participants from 29 joint and naval commands took part in the wargame.

Personnel from the Fleet Information Warfare Center (FIWC), together with technical staff from the Information Assurance Technology Analysis Center (IATAC), facilitated this seminar. The game was held at the Shifting Sands Conference Center, located at the Fleet Combat Training Center, Atlantic, Dam Neck, Virginia Beach, Virginia.

NIOW '99 goals were to examine operational and tactical information operations (IO) planning at the CVBG and ARG/MEU level and to assess Naval IO Mission-Essential Tasks (NMETs). To achieve these goals, the wargame had four objectives:

• To educate participants and provide a professional forum to discuss and evaluate current and future naval IO issues

• To evaluate several IO-related issues resulting from the Information Warfare (IW) at Sea Conference held at FIWC in March 1999

• To identify and document IO Mission-Essential Tasks (METs) and doctrine issues arising from the game

• To generate and disseminate operational and tactical IW guidance to support IW staffs deployed and ashore, consistent with FIWC's role as the Naval IW Center of Excellence.

The wargame structure included informational briefings, team play, and "hot washups." On June 8, a series of information and background briefings educated the players and prepared them for the game play. Following briefings on strategic and joint IO policy, naval IW, and FIWC IW initiatives, the players were separated into three teams, one representing a CVBG IW staff, a second representing an ARG/MEU IW staff, and the third representing the IW interests of both Numbered Fleet and Fleet CINC staffs. A fourth team of experienced IO personnel from joint and DoD commands functioned as game play mentors, data collectors, and observers. The principal portion of the wargame occurred on June 9-10 as the players participated in three moves. Each move began with in-depth briefings on the intelligence scenario, the current situation, and the operational or tactical IO mission the players were to plan. In Move 1, the players considered tactical IO planning for routine operations in a Southwest Asia scenario. Move 2 presented the players with operational and tactical IO planning for nonpermissive Noncombatant Evacuation Operation (NEO) operations in a crisis scenario with the CVBG and ARG/MEU acting as a joint task force. Finally, Move 3 involved the players in conducting an evaluation of IO-specific METs as a result of their planning efforts during Moves 1 and 2.

The moves all concluded with debriefings by each team to summarize the team's perspective on IO planning for the scenario, evaluate its capability to plan and execute IO at the operational and tactical levels of conflict, and offer feedback on Naval IO METs. The hot wash focused on capturing lessons learned from the game. Participants reached consensus on a number of key points, some of which are summarized as follows:

• IO planning is a difficult process, and areas of responsibility for coordination and execution of IO are unclear, especially at the CVBG and ARG/MEU level.

• IO planning for the CVBG and ARG/MEU must start long before operations commence and must be integrated throughout the Inter-Deployment Training Cycle (IDTC).

• The need to integrate IO in all operations is critical. Key to IO integration is development and implementation of significantly improved IO planning tools at the numbered fleet, CVBG, and ARG/MEU level.

• Planning requirements and responsibilities for tactical IO planning and for a joint task force differ significantly.

• Current intelligence production requirements are not focused to support IO requirements.

• Naval personnel need more IO training and education than they now receive.

USS Theodore Roosevelt (CVN 71) aircraft carrier. U.S. Navy photograph by Photographer's Mate 2nd Class George A. DelMoral.

Analysis of participant feedback indicated that NIOW '99 was educational and productive, providing an outstanding forum for evaluating the naval IO planning process and METs. Most participants said that the game was an effective overview of naval IO planning and that they left with an increased appreciation and understanding of CVBG and ARG/MEU IO coordination issues. Because of the success of the first naval IO wargame, FIWC plans to conduct games on an annual basis to explore various aspects of naval IO.

All wargame material, including a list of game participants, all briefings, team debriefings, the wrap-up message, and post wargame slide presentation, are available on the FIWC Secret Internet Protocol Router Network (SIPRNET) Web site (www.fiwc.navy.smil.mil). Questions and comments are welcomed and encouraged.

Daniel R. Walters is Technical Director, Fleet Information Warfare Center, Norfolk, VA. He also serves as Captain, U.S. Navy Reserve, Crisis Response Planner for the Office of Secretary of Defense, Personnel and Readiness, Readiness and Training Plans and Policy Division. He received his B.S. in Chemistry from Wilkes University in 1972 and graduated from the Naval War College in 1997. He may be reached at td@fiwc.navy.mil.
TITLE | COMPANY | URL
AAFID | Purdue University | http://www.cs.purdue.edu
ACME | Intermidia | http://www.intermidia.icmc.sc.usp.br
AID | Brandenburg University | http://www-rnks.informatik.tu-cottbus.de
ALVA | GE Corporate R&D | http://www.crd.ge.com
Alert-Plus | Computer Security Products | http://www.compsec.com
Argus | Carnegie Mellon University | ftp://ftp.sei.cmu.edu/pub/argus/argus-1.7.beta.le/
ARMD | George Mason University | http://www.isse.gmu.edu/~jllin/system
ARPMon | University of Illinois | http://www-commeng.cso.uiuc.edu/docs/jacques/software/arpmon.html
ASAX | University of Namur | http://www.info.fundp.ac.be/~cri/DOCS/asax.html
ASIM | U.S. Air Force | http://www.afiwc.aia.af.mil/
Black Ice | Network ICE | http://www.networkice.com/products/blackice
Bro | Lawrence Berkeley Laboratory | http://www.aciri.org/vern/bro-info.html
Centrax | CyberSafe Corporation | http://www.centrax.net/products.html
CMDS | SAIC/ODS Networks Inc. | http://www.cmds.net
CyberCop | Network Associates | http://www.nai.com/asp_set/products/tns/cybercop_intrusion.asp
Dragon | Network Security Wizards | http://www.network-defense.com/dragon.html
EMERALD | SRI International | http://www.csl.sri.com/emerald/index.html
Flight Jacket | Anzen Computing | http://www.anzen.com/afj/
Gabriel | Los Altos Technologies | http://www.lat.com/gabe.htm
GrIDS | University of CA—Davis | http://olympus.cs.ucdavis.edu/arpa/grids/welcome.html
Hummer | University of Idaho | http://www.csds.uidaho.edu/~hummer/
Ifstatus | IBM | http://www.ers.ibm.com/~davy/software/ifstatus.html
INTOUCH INSA | Touch Technologies, Inc. | http://www.ttisms.com/tti/nsa_www.html
1ST | Internet Security Systems | http://www.iss.net/prod/isb.php3
ITA | AXENT Technologies, Inc. | http://www.axent.com/product/smsbu/ITA/default.htm
JiNao | MCNC/NCSU | http://www.anr.mcnc.org/JiNao.html
KSM | RSA Security, Inc. | http://www.rsasecurity.com/products/intrusion/
NADIR | Los Alamos National Lab | http://wwwc3.lanl.gov:80/cic3/home/projects.html
NetSTAT | University of CA—Santa Barbara | http://www.cs.ucsb.edu/~kemm/netstat.html/
NetRanger | Cisco Systems, Inc. | http://www.cisco.com/warp/public/cc/cisco/mkt/security/
NFR | Network Flight Recorder, Inc. | http://www.nfr.net
NID | Lawrence Livermore Lab | http://ciac.llnl.gov/cstc/nid/nid.html
NIDES | SRI International | http://www.sdl.sri.com/nides/
NOCOL | Marquette University | http://www.mscs.mu.edu/contact.html
POLYCENTER | Compaq Computer Corp | http://www.digital.com/info/security/id.htm
PreCis | PRC Inc. | http://www.bellevue.prc.com/precis/index.htm
RealSecure | Internet Security Systems | http://www.iss.net/prod/rs.html
SecureNet PRO | MimeStar, Inc. | http://www.mimestar.com
Session Wall-3 | Computer Associates | http://www.abirnet.com/sw3intro.html
Snort | Stanford Telecommunications, Inc. | http://www.clark.net/~roesch
Stake Out | Harris Corporation | http://www.stakeout.harris.com/
Swatch | Stanford University | http://www.stanford.edu/~atkins/swatch
Tripwire | Tripwire Security Systems | http://www.tripwiresecurity.com
T-sight | En Garde Systems, Inc. | http://www.engarde.com/software/t-sight/index.html
UNICORN | En Garde Systems, Inc. | http://www.EnGarde.com/~men/unicorn.html
USTAT | University of CA—Santa Barbara | http://www.cs.ucsb.edu/TRs/TRCS93-26.html
Automated Intrusion Detection Environment

Brian T. Spink
Brad Jobe

Increased reliance on information systems requires maximum system integrity. Although absolute system integrity is not achievable, it is possible to warn commanders of attempted system attacks in real time. This warning has limited utility if it concerns only the local level. Effective defensive information operations (DIO) entail a comprehensive understanding of system operations on a global level. A critical DIO component is the ability to warn of suspicious activities across various command levels. The objective is to secure local networks, detect coordinated attacks at designated regional levels, and enhance the global picture of real-time threats to DOD-wide systems. The Automated Intrusion Detection Environment (AIDE) is designed to address the challenge of determining whether the information grid is under attack.

AIDE's goal is to reduce false positive reporting and create a tactical warning capability across the warfighters' information grid. To this end AIDE will create a multitiered integration environment, incorporating stand-alone sensors and correlating sensor information at different command echelons. AIDE leverages existing commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) technologies that include intrusion detection, enterprise management, object-oriented design, process visualization, and knowledge engineering.
Figure 1. Architecture of the AIDE System (shown: a tools/technologies layer of intrusion detection, firewall, SW integrity, virus checkers, and network management; the interface layer; the integration infrastructure with correlation and data visualization; users including law enforcement, operations, communications/computers, intelligence, and deployed systems; and the network connecting the R-CERT to its LCCs).
AIDE Architecture

The AIDE architecture shown in Figure 1 is composed of sensors, sensor interfaces, normalization, integration environment, data storage, and the communication topology. An AIDE goal is to incorporate whatever sensors are in place at an installation, rather than prescribing certain sensors. To determine the desired baseline of intrusion detection, network management, and firewall products, an AIDE team surveys installation sites. Once it identifies the sensors, the sensor interfaces to send data to the AIDE integration environment are developed.

Gensym's G2 intelligent enterprise management software creates the basic integration infrastructure. This software applies real-time rule-based reasoning to network management data, activity sensor data, and intrusion detection information derived from distributed sources in real time.

Raw sensor data and correlated event information are stored in an Oracle database. Users from local, regional, and global sites can gain access to detailed data from the Web server installed on the system. This feature allows the system to push small amounts of information, while allowing users at all levels to pull the supporting data they need to the appropriate level.

The communication topology requires secure hierarchical and lateral reporting. The overall AIDE concept calls for three-tier reporting: local control centers (LCC) report to regional computer emergency response teams (R-CERT), which report to a global network operations and security center (GNOSC). Figure 2 depicts the hierarchical reporting structure. Systems at each level can also report laterally (LCC to LCC, or R-CERT to R-CERT).

Figure 2. Hierarchical Reporting Structure

Each node in the system can be dynamically configured to send its alerts to any or all of the other nodes in the network. A node receives all alerts sent to it (that is, the configuration specifies only outbound constraints). This capability allows AIDE to be customized to conform to each site's reporting policy.

Improving Network-wide Detection

Network connectivity significantly improves the ability to detect network-wide, coordinated attacks. Individual sites can detect local intrusions in isolation, but regional centers can correlate intrusions reported by multiple local sites. This function is actually the major purpose of an R-CERT. When more than one local site reporting to the same R-CERT reports intrusive behavior, the R-CERT AIDE operator can immediately compare the behaviors and draw conclusions about the nature of the attack. This capability allows the R-CERT to alert its other LCCs that an attack may be forthcoming and provide a consolidated report to the GNOSC.

The GNOSC can serve the same function, correlating events at local sites that report to different R-CERTs. The GNOSC provides a single perspective on the state of the entire network covered by the AIDE system. It can alert sites to intrusions as they are happening, so administrators can take immediate action to limit any damage and reduce the attack's effectiveness.
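The outbound-only routing policy and the multi-site correlation described above, as an added example that is not AIDE's own code; node names, alert fields, and the "two or more reporting sites" correlation rule are constructed assumptions:

```python
"""Toy model of the AIDE reporting topology (added example, not AIDE code).
Node names, alert fields and the correlation rule are constructed
assumptions used only to illustrate outbound-only routing policy and
multi-site correlation at the R-CERT and GNOSC tiers."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    origin: str      # LCC whose sensor observed the activity
    src_ip: str      # source address as reported by that sensor
    signature: str   # sensor's label for the behaviour (constructed)
    timestamp: int   # seconds since the start of the exercise (constructed)


class Node:
    """A reporting node. Its policy lists only *outbound* targets; every
    alert sent to a node is accepted, as the AIDE design states."""

    def __init__(self, name, tier):
        self.name = name
        self.tier = tier        # "LCC", "R-CERT" or "GNOSC"
        self.targets = []       # outbound routing policy (hierarchical or lateral)
        self.inbox = []         # every alert delivered to this node

    def send_to(self, *nodes):
        self.targets.extend(nodes)

    def report(self, alert, seen=None):
        """Deliver an alert here and forward it along the outbound policy.
        'seen' stops loops and duplicate delivery over lateral links."""
        seen = set() if seen is None else seen
        if self.name in seen:
            return
        seen.add(self.name)
        self.inbox.append(alert)
        for node in self.targets:
            node.report(alert, seen)


def correlate(node, min_sites=2):
    """Regional/global correlation: group alerts by source address and flag
    any source reported by at least min_sites distinct LCCs."""
    sites_by_src = defaultdict(set)
    for alert in node.inbox:
        sites_by_src[alert.src_ip].add(alert.origin)
    return {ip: sorted(sites) for ip, sites in sites_by_src.items()
            if len(sites) >= min_sites}


def build_topology():
    """Three-tier topology with one lateral LCC link and one lateral
    R-CERT link (constructed)."""
    gnosc = Node("GNOSC", "GNOSC")
    east, west = Node("R-CERT-East", "R-CERT"), Node("R-CERT-West", "R-CERT")
    lcc = {name: Node(name, "LCC") for name in ("LCC-1", "LCC-2", "LCC-3")}
    east.send_to(gnosc, west)                  # hierarchical plus lateral to West
    west.send_to(gnosc)                        # West reports upward only
    lcc["LCC-1"].send_to(east)
    lcc["LCC-2"].send_to(east, lcc["LCC-1"])   # lateral LCC-to-LCC copy
    lcc["LCC-3"].send_to(west)
    return gnosc, east, west, lcc


def run_scenario():
    """Constructed exercise: one source probes sites under both R-CERTs."""
    gnosc, east, west, lcc = build_topology()
    probe = "203.0.113.7"                      # RFC 5737 documentation address
    events = [
        ("LCC-1", probe, "port-sweep", 10),
        ("LCC-2", probe, "port-sweep", 45),
        ("LCC-3", probe, "login-failure-burst", 70),
        ("LCC-2", "198.51.100.9", "port-sweep", 80),   # seen at one site only
    ]
    for origin, ip, sig, ts in events:
        lcc[origin].report(Alert(origin, ip, sig, ts))
    return {
        "east": correlate(east),               # sees LCC-1 and LCC-2 only
        "west": correlate(west),               # lateral copies from East add LCC-1/2
        "gnosc": correlate(gnosc),             # single network-wide perspective
        "gnosc_alerts": len(gnosc.inbox),      # each alert delivered exactly once
        "lcc1_alerts": len(lcc["LCC-1"].inbox),
    }


if __name__ == "__main__":
    for tier, result in run_scenario().items():
        print(tier, result)
```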


Brian Spink is an electronic engineer with the Air Force Research Laboratory in Rome, NY. He received his B.S. ECE from Clarkson University and his M.S. ECE from Syracuse University. He may be reached at spinkb@rl.af.mil.

Brad Jobe is a senior program analyst for Litton PRC in Rome, NY. He received his B.S. from South Dakota State University and his M.B.A. from Colorado State University. He may be reached at jobeb@rl.af.mil.
The Information Assurance Program Management Office (IPMO) at the Defense Information Systems Agency (DISA) now offers the training and awareness CD-ROMs and videos listed in this article. Use the form to order.

CyberProtect—An interactive computer network defensive exercise that looks and feels like a video game. It is intended to familiarize players with information security (INFOSEC) terminology, concepts, and policy. Players learn about defensive security tools and seek to deploy them judiciously on a simulated network. They face a spectrum of security threats and must make practical decisions about allocating resources (in quarterly increments) using risk analysis and risk management considerations. Play is divided into four sessions, simulating a fiscal year. After each session, players receive feedback on how well they are doing. At the end of the last session, players are given a report summarizing their cumulative operational readiness rating. The report also details every attack by type, origin, and effectiveness of defensive tools.

System Administrator Incident Preparation and Response for Windows NT—An interactive multimedia training CD-ROM. It provides a virtual hands-on experience, taking the student through the steps necessary to configure networks to collect and protect event information that may be useful for investigating suspected unauthorized activity. The user learns what techniques are often used to commit computer crimes, what information to collect before an incident, how to prepare systems for possible incidents, how to implement policies, how to log and recognize unauthorized activity, and how to respond to suspected unauthorized activity. Other topics covered include policies and procedures to simplify a computer emergency investigation, audit strategy, audit implementation, recognition of unauthorized activity, and security incident notification and response strategies. A glossary of terms and links to service and agency computer emergency response teams are provided for reference. This CD-ROM is a product of the DoD Computer Investigations Training Program (DCITP).

Protect Your AIS: The Sequel—This U.S. Government video dramatizes INFOSEC-related concerns in the workplace. The scenes demonstrate the need for password protection, virus prevention, data safeguards, user identification (ID) security, and controlled access to computer equipment. (30 minutes)

Dr. D. Stroye—This U.S. Government video discusses correct methods for magnetic media destruction, while providing humorous examples of how not to destroy data safely. (8 minutes)

The Scarlet V—This U.S. Government video discusses the need to use virus-scanning software on a regular basis to prevent file infection. It comically depicts the life of an individual who inadvertently introduces a virus into a networked system. (8 minutes)

Safe Data: It's Your Job—This Department of Labor video is relevant to DoD because it focuses on the need to safeguard sensitive but unclassified data, such as medical records and personnel files. It discusses ways to secure data to prevent sensitive information from getting into the wrong hands and emphasizes the role of the end user in computer and network security. It also offers tips for preventing data from being compromised by hackers and unauthorized users, such as good password management, virus protection, and physical security. (19 minutes)

Think Before You Respond—This NRO video deals with Internet security, stressing the need for viewers to be careful about the information they share. It encourages caution when discussing topics in live chat sessions or responding to requests for information. (3 minutes)
Order Form

How did you hear about our products?
o World Wide Web  o Word of Mouth  o *Conference  o *Class  o *Other
*Specify ________

INFOSEC Program Management Office
5113 Leesburg Pike, Suite 110
Falls Church VA 22041-3204
Attn: Product Distribution

Commercial: 703-681-7944/3476  DSN: 761
Fax: 703-681-1386
E-mail: DODIAETA@ncr.disa.mil
Homepage: http://www.disa.mil/infosec

Name ________
Title ________
Command/Org/Agency ________
Dept/Mail Code ________  Phone: (___) ________
Address ________
Fax: (___) ________
City ________  State ________  Zip+4 ________
E-Mail ________
Date ________  DSN ________

NOTE: If you have ordered IPMO Products before and your address has changed, mark here o

Mark appropriate organization:
o OSD  o Joint Staff  o CINC (specify) ________  o Army  o Navy  o Marines  o Air Force  o Coast Guard
o Defense Agency (name) ________
o Non-Defense Agency (name) ________
o Government Contractor (Agency contracting with) ________
o Other ________

Products are unclassified and available at no cost. Videos may be reproduced (for government use only) without further permission.

Multimedia CD-ROMs
o DOD or o Federal INFOSEC Awareness, V.1 (Select One)
o Operational Information Systems Security (OISS), Vols. 1 and 2, V.1.2 (Set of two)
o Fortezza Installers Course for Windows NT 4.0, V.1
o Introduction to the DITSCAP, V.1.1
o Information Age Technology, V.1.03
o IA for Auditors and Evaluators, V.1.04
o Designated Approving Authority (DAA) Basics, V.1
o CyberProtect, V.1 New!
o System Administrator Incident Preparation & Response (SAIPR) for Windows NT, V.1.1 (for System Administrators) New!

Videos
o Understanding PKI (DOD) (13 min)
o Networks at Risk (NCS) (10 min)
o Information Front Line (IW) (IC) (10 min)
o Bringing Down the House (IW) (NSA) (11 min)
o Computer Security 101 (DOJ) (11 min)
o Computer Security - The Executive Role (DOJ) (9 min)
o Safe Data: It's Your Job (DOL) (19 min)
o Think Before You Respond (US Gov) (3 min)
o Protect Your AIS (US Gov) (6 vignettes)
o Protect Your AIS, The Sequel (US Gov) (30 min)
o Dr. D Stroye (US Gov) (8 min)
o The Scarlet V (US Gov) (7 min)
o Exploring MISSI (DISA/NSA) (10 min)

Upcoming Products
Information Operation Fundamentals - Winter 99 (Multimedia CD-ROM)

rev. 23 Sept 99

To register for the IA Newsletter, visit http://www.iatac.dtic.mil/products.htm
Thomas Hudson
Michael Maloney

SilentRunner™ is a network security tool kit recently released by Raytheon. It is a passive, multifunctional network discovery, visualization, and analysis (DVA) system that provides real-time auditing and monitoring. The analytical engine replicates network activity and provides a wide variety of two- and three-dimensional (2D, 3D) views to enhance users' understanding of complex networks.

Operationally, SilentRunner™ maps topology and displays network data for analysis. It shows network activity and links information concerning each terminal. It also shows both physical and virtual relationships, who contacts whom, communication paths, and traffic flow and density. SilentRunner™ can play back recorded data sequences for detailed network analysis and can integrate other types of data to provide a complete picture of the activity under investigation. For example, SilentRunner™ may receive external sensor data inputs and present the inputs in a common view with the network data. External sensor data such as physical security logs, private branch exchange (PBX) logs, and intrusion detection probe data have successfully been assimilated, displayed, and analyzed. SilentRunner™ can be used for post-intrusion analysis, complementing administrative network security efforts. As described below, the DVA modules use both data and meta-data to perform context analysis on reconstructed information.

SilentRunner's software tool kit has four patent applications pending. The system is composed of six discrete software modules and is available in two versions (laptop computer and enhanced workstation). The software modules are the collector module (CM), knowledge base (KB) data parsing, analytical engine (AE), display, man-machine interface (MMI), and external sensor (ES). The enhanced workstation provides more analytical capability than the deployable laptop and includes 3D-display visualization, recorded data playback, and context analysis.

CM is the application's front end. It contains a family of autonomous, passive, local-area-network (LAN)-monitoring data acquisition tools. Additional tools for wide-area-network (WAN), computer code, and network heuristics are under development. The CM LAN tool collects data, presents 2D displays, and stores the formatted data for the subsequent modules. This very robust module updates the 2D displays and databases in real time while providing packet decoding for up to 2,500 simultaneously active terminals without interfering with the host network (Figure 1). SilentRunner™ dynamically graphs the network topology, reconstructs sessions for seven standard protocols, and identifies and labels unknown packets. It incorporates operator-definable Boolean queries for alerts and displays network activity levels statistically for individual protocols and terminals on the network.

The KB data parsing module uses a family of algorithms to transform the data stored in CM into formatted categories that the analytical engine modules require. The module currently consists of eight independent selectable functions, with each function having many selectable sub-functions. Major parsing modules are parse, E-mail, join, Web tool, graphics, summing, file tool, and column. Parse formats traffic data into 15 selectable options. For example, parse can sort data by domain, host, Internet Protocol (IP) address, MAC address, and other fields. The join, Web tool, graphics, summing, file tool, and column parsing modules have similar sorting capabilities.

Figure 1. SilentRunner™ network view shown in 2-D.
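The collector and parsing ideas described above (who-contacts-whom links with traffic density, per-terminal and per-protocol activity levels, and an operator-definable Boolean alert query), as an added example that is not Raytheon's code; the packet summaries and the query operators are constructed assumptions:

```python
"""Simplified sketch of the collector ideas above (added example, not
Raytheon's code): who-contacts-whom links with traffic density, per-terminal
and per-protocol activity levels, and an operator-definable Boolean alert
query. The packet summaries and query operators are constructed."""
from collections import Counter, defaultdict

# Constructed packet summaries: (src_mac, src_ip, dst_ip, protocol, bytes).
# Addresses are taken from the RFC 5737 / RFC 7042 documentation ranges.
PACKETS = [
    ("00:00:5e:00:53:01", "192.0.2.10", "192.0.2.20", "http",   1400),
    ("00:00:5e:00:53:01", "192.0.2.10", "192.0.2.20", "http",   1200),
    ("00:00:5e:00:53:02", "192.0.2.11", "192.0.2.20", "smtp",    600),
    ("00:00:5e:00:53:03", "192.0.2.12", "192.0.2.30", "telnet",   90),
    ("00:00:5e:00:53:03", "192.0.2.12", "192.0.2.31", "telnet",   90),
    ("00:00:5e:00:53:03", "192.0.2.12", "192.0.2.32", "telnet",   90),
    ("00:00:5e:00:53:03", "192.0.2.12", "192.0.2.33", "telnet",   90),
    ("00:00:5e:00:53:01", "192.0.2.10", "192.0.2.21", "ftp",    7000),
]


def contact_graph(packets):
    """Who contacts whom: (src, dst) -> (packet count, bytes), the raw
    material for a topology graph showing traffic flow and density."""
    edges = defaultdict(lambda: [0, 0])
    for _mac, src, dst, _proto, size in packets:
        edges[(src, dst)][0] += 1
        edges[(src, dst)][1] += size
    return {edge: tuple(v) for edge, v in edges.items()}


def terminal_stats(packets):
    """Per-terminal activity: MAC, bytes and packets sent, distinct peers
    contacted, and a protocol histogram (a parse-by-host view)."""
    stats = {}
    for mac, src, dst, proto, size in packets:
        t = stats.setdefault(src, {"mac": mac, "bytes": 0, "packets": 0,
                                   "peers": set(), "protocols": Counter()})
        t["bytes"] += size
        t["packets"] += 1
        t["peers"].add(dst)
        t["protocols"][proto] += 1
    return stats


def protocol_stats(packets):
    """Network-wide activity level per protocol (packet counts)."""
    return Counter(proto for _m, _s, _d, proto, _b in packets)


def evaluate(query, t):
    """Evaluate an operator-defined Boolean query against one terminal's
    stats. Queries are nested tuples: ('and', q, ...), ('or', q, ...),
    ('not', q), ('uses', proto), ('peers_ge', n), ('bytes_ge', n)."""
    op, *args = query
    if op == "and":
        return all(evaluate(q, t) for q in args)
    if op == "or":
        return any(evaluate(q, t) for q in args)
    if op == "not":
        return not evaluate(args[0], t)
    if op == "uses":
        return args[0] in t["protocols"]
    if op == "peers_ge":
        return len(t["peers"]) >= args[0]
    if op == "bytes_ge":
        return t["bytes"] >= args[0]
    raise ValueError(f"unknown query operator {op!r}")


def alerts(packets, query):
    """Terminals whose activity satisfies the operator's alert query."""
    return sorted(ip for ip, t in terminal_stats(packets).items()
                  if evaluate(query, t))


# Constructed alert: a terminal fanning telnet out to three or more peers,
# or moving at least 5 KB over ftp.
FANOUT_OR_BULK = ("or",
                  ("and", ("uses", "telnet"), ("peers_ge", 3)),
                  ("and", ("uses", "ftp"), ("bytes_ge", 5000)))

if __name__ == "__main__":
    print(protocol_stats(PACKETS))
    print(contact_graph(PACKETS))
    print(alerts(PACKETS, FANOUT_OR_BULK))
```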
AE is the dynamic graphic module that accepts data from the KB data-parsing module and presents an array of relational data sets in a 2D display. The module's basic function is to render large (hundreds of megabytes) data files into visual representations that convey meaningful information about the data. This module consists of two distinct sub-modules that run on different platforms. On the laptop, AE operates in a Microsoft Windows NT environment, whereas the enhanced workstation is a Unix platform. Compared with the laptop, the enhanced workstation has a higher central processing unit (CPU) speed, giving it greater analytical power and additional analytical features such as network traffic playback, context analysis of text, and graphics.

The 3D display module acquires data from the enhanced AE or KB data parsing modules. The analyst specifies a third axis for display purposes. This module can capture and display in 3D a variety of complex relational data sets that would be obscured by traditional 2D display methods. The module can display a large number of nodes, up to 10,000 simultaneously. The node diagrams are produced by using node implode and explode techniques. The imploded diagram maintains full functionality with respect to every node in the original diagram. Animation of the nodal diagram, a unique feature, permits different types of network traffic to be shown as colored icons as the traffic moves between nodes while the operator rotates the entire node diagram to any position.

MMI and ES are the last two modules in the SilentRunner™ architecture. The MMI software provides the operator with a user-friendly interface. This module also controls equipment configuration, data collection, data storage, visualization, and analysis. ES integrates external data for DVA purposes.

SilentRunner™ should complete the National Security Agency (NSA) Security Proof-of-Concept Keystone (SPOCK) verification by mid-November 1999. SPOCK verification is conducted by an NSA-sponsored consortium of government system integrators and commercial information security (INFOSEC) solution developers that meet regularly to discuss emerging solutions and enabling technologies. When unique tools like SilentRunner™ are introduced, the consortium forms a team to verify vendor claims. The final SPOCK report on SilentRunner™ should be published before year-end. The Raytheon Linthicum office is responsible for developing and sustaining SilentRunner™.

Tom Hudson is the Director of Integrated Information Systems with Raytheon Systems Company. A retired Army Intelligence Officer, he received a Masters in Computer Science and Civil Engineering from West Virginia University. He was the Deputy Director of the Army Land Information Warfare Activity (LIWA), 1994-98. He may be reached at thudson@re-ro.com.

Mike Maloney is the inventor and lead IR&D program manager for this project at Raytheon Systems Company. Prior to joining Raytheon, Mike was a Technical Director at the National Security Agency (NSA). While at NSA he was involved in the design and development of all types of collection and processing systems. In 1978 he received his M.S. in Engineering from George Washington University and has a B.S. in Electronic Engineering from the University of Detroit. He may be reached at m5m@hrb.com.

Figure 4. SilentRunner™ network DVA tool.
Mr. Robert P. Thompson
Director, IATAC

The IATAC Steering Committee recently convened to review ongoing activities and provide technical guidance and direction for future IATAC operations. In addition, the steering committee provides a forum to discuss critical issues, facilitate the exchange of ideas, and build upon the expanding knowledge base for information assurance and defensive information operations. Committee members represent the broad DoD Information Assurance community, including operations, policy, research and development, and soon acquisition elements. As a result of the meeting, IATAC has undertaken several new initiatives to enhance operations and respond to emerging warfighter needs. These initiatives include the following:

Information Assurance (IA) Newsletter

IATAC will transition to electronic distribution of the IA Newsletter. Hard copies of the newsletter will be available upon request and at conferences and symposia.

Collection Activities: Insider Threat

IATAC has increased its collection activities on the "insider threat." Collection activities focus on the technology aspect of the insider threat and not necessarily on social engineering or the human element; specifically, what tools, technologies, or research and development activities are available that can be applied to respond to the insider threat problem.

IA Tools Reports

The scope of the IA Tools Reports (e.g., Intrusion Detection, Vulnerability Analysis, Firewalls) will change from the current format of providing descriptions of tools to an improved format that focuses on the evaluation of individual tools. IATAC will provide short descriptions of the tool, reference evaluations conducted by other DoD entities and possibly commercial reviews, and provide an assessment of the state of the art for that particular technology.

Technical Report: Visualization

Warfighters are inundated with massive amounts of data related to network monitoring and intrusion detection. This data must be fused and cross-referenced with intelligence data as well as technical intrusion data. To address this data fusion problem, IATAC will conduct a survey and develop a state-of-the-art report (SOAR) on visualization technologies and their application to information operations and information assurance.

Technical Report: Defense-In-Depth

Security architecture associated with Defense-In-Depth requires further definition. IATAC will develop a technical report that focuses on emerging technologies that support a Defense-In-Depth strategy (e.g., at User, System Administrator, Enclave, and Network levels).

Technical Report: What is Good Enough Security?

IATAC will develop a report that examines information assurance metrics and security architectures that answer the question—how do you know your security is any good?

For more information on IATAC initiatives, contact Bob Thompson at 703.289.5454 or via e-mail at iatac@dtic.mil.
The IAnewsletter

The IAnewsletter will be available for electronic distribution (pdf format) beginning with the Fall 1999 issue. Please take a moment and either E-mail (iatac@dtic.mil) or fax (703.289.5467) your format preference for receiving future issues of the newsletter, including the following information:

Full Name: ________
Mailing Address: ________
E-mail Address: ________
I would like to receive: □ Electronic □ Hard copy
continued from page 4

ture. The system will initially be bilateral between the United States and participating nations (PNs) but can later be expanded to multilateral if all participants agree.

Like all the USSOUTHCOM information-sharing networks, SCIES is intended primarily to expedite event coordination, promote data sharing between the United States and participating nations, encourage bilateral and multilateral data sharing, increase the effectiveness of U.S. support to participating nations' operations, and, most importantly, promote regional cooperation. These networks provide a cost-effective approach to achieving these objectives through the use of information technology to share information and disseminate it to participating nations.

IATAC readers may access AMNET by visiting the Americas' Net home page at http://www.reddelasamericas.net. The following identifier and password will allow readers access: user name, iatacguest; password, 67Pm3Rp8.

Lt Col Pettigrew is the Chief, Information Assurance Division, Directorate of Command, Control, Communications, Computers and Intelligence (C4I), USSOUTHCOM. He received his B.S. from King College in Bristol, TN and his M.S./MJ.S. in 1987 from the University of Arizona, Tucson. Lt Col Pettigrew may be reached at pettigrj@reddelasamericas.net.
Intrusion Detection Tools Report

This newly updated report provides an index of intrusion detection tool descriptions contained in the IA Tools Database. Research for this report identified 47 intrusion detection tools currently employed and available.

Data Embedding for Information Assurance SOAR

Provides an assessment of the state-of-the-art in data embedding technology and its application to information assurance. It is particularly relevant to: information "providers" concerned about intellectual property protection and access control; information "consumers" who are concerned about the security and validation of critical information; and law enforcement, military, and corporate organizations concerned about efforts to communicate covertly. The report has been specifically designed for readers who are not experts in data embedding. For those desiring more in-depth information, the bibliography provides an extensive list of authoritative sources from which the reader can obtain additional technical detail.

Computer Forensics: Tools and Methodology

The primary focus of this report is a comparative analysis of currently available software tools that are used in computer forensic examinations. For readers who are unfamiliar with computer forensics, this report provides a useful introduction to this specific area of science, and offers practical high-level guidance on how to respond to computer system intrusions. For all readers, however, this report provides a useful analysis of specific products, including their respective capabilities, unique features, cost, and associated vendors.

Firewall Tools Report

This report provides users with a brief description of available firewall tools and contact information. Currently the IA tools database contains 46 firewall tools that are available in the commercial marketplace.

Malicious Code Detection SOAR

This report includes a taxonomy for malicious software, providing a better understanding of commercial malicious software. An overview of state-of-the-art commercial products and initiatives, as well as future trends, is presented. The report presents observations and assertions to support the DoD as it grapples with this problem entering the 21st century. This report is classified and has a limited release.

Modeling & Simulation Technical Report

This report, released December 1997, describes the models, simulations and tools being used or developed by organizations within DoD. Data collection efforts focused on the definitions of Information Operations, Information Warfare, and IA as described in DoD Directives S-3600.1 and 6510.1, as well as the definitions prescribed by DMSO for model and simulation.

Biometrics: Fingerprint Identification Systems

Focuses on fingerprint biometric systems used in the verification mode. Such systems, often used to control physical access to secure areas, also allow system administrators access control to computer resources and applications. Information provided in this document is of value to anyone desiring to learn about biometric systems. The contents are primarily intended to assist those individuals who are responsible for effectively integrating fingerprint identification products into their network environments to support the existing security policies of their respective organizations.

Vulnerability Analysis Tools Report

This report summarizes pertinent information, providing users with a brief description of available tools and contact information. Currently the IA Tools database contains descriptions of 35 tools that can be used to support vulnerability and risk assessment.
calendar

Information Systems Security Expo (ISSE) '99
Arlington, VA
Call J. Spargo & Associates, 703.631.6200

December

1-2

TechNet Europe '99
Renaissance London Heathrow Hotel
http://afcea.org/tne99/default.htm

26

ShadowCon
NSWC Dahlgren, VA
Call 877.921.0612
www.TechnologyForums.com

October 31-November 3

15-17

MILCOM 1999: Into the Next Millennium - Evolution of Data Into Knowledge
Atlantic City, NJ
www.milcom1999.com

February

8-10

9-11

Fort Lewis/DISC4 Information Assurance Workshop & Accreditation Program
Tacoma, WA
Call 877.921.0612
www.TechnologyForums.com

26th Annual Computer Security Conference & Exposition
Washington, DC, Marriott Wardman Park
www.gocsi.com

22-25

April

3-5

16-18

TechNet Asia-Pacific '99
Honolulu, HI
Call J. Spargo & Associates, 703.631.6200

Information Assurance Technology Analysis Center
3190 Fairview Park Drive
Falls Church, VA 22042

Space & Missile Systems Center Information Assurance Technology Forum
San Pedro, CA
Call 877.921.0612
www.TechnologyForums.com

The Colorado Springs Military Information Assurance Technology Forum
Colorado Springs, CO
Dec. 8th - Schriever AFB
Dec. 9th - Peterson AFB
Call 877.921.0612
www.TechnologyForums.com

DISA 4th Annual IA Workshop
Holiday Inn Hampton Hotel, Hampton, VA

AFCEA West 2000
San Diego Convention Center, San Diego, CA

SPACECOM 2000: Space Communications - Key to Information Operations
Colorado Springs, CO
Call Michael J. Varner, 719.590.1051

InfoSec World Conf & Expo
Orlando, FL
Call 508.879.7999
www.misti.com

Fiesta Informacion 2000
San Antonio, TX
Call J. Spargo & Associates, 703.631.6200